Bug 5664

Summary: DYNAMIC check FPs
Product: Spamassassin Reporter: Henrik Krohns <apache>
Component: RulesAssignee: SpamAssassin Developer Mailing List <dev>
Status: NEW ---    
Severity: minor CC: uhlar
Priority: P5    
Version: 3.2.3   
Target Milestone: Undefined   
Hardware: Other   
OS: other   
Whiteboard:

Description Henrik Krohns 2007-09-30 14:14:44 UTC
header HELO_DYNAMIC_DHCP X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\S*(?:(?<!
a)cm|catv|docsis|cable|dsl|dhcp|cpe|node)\S*\d+[^\d\s]+\d+[^\]]+ auth= /i
header __RDNS_DYNAMIC_DHCP X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=\S*(?:cm|
catv|docsis|cable|dsl|dhcp|cpe|node)\S*\d+[^\d\s]+\d+/i

The "cm" part is FP prone:

cmw2kex02e.rvc.ac.uk
cm0.mx.agent.point2.com
cmdeliver0.st0.spray.net
cmfilter0-ens.phx0m.ensynch.com
cmx0.servicemail24.de
hchlilmtcm0a0.mcleodusa.net
trafficmatt0.clnt.800hosting.net

Maybe change it to (\b|\d)cm(\b|\d).

Also "node" is FP prone:

mail-node-0.i-55.com
node0-www.care2.com
node0.mail0.netdiscounter.de

You should check when stuff like (mx|mail|smtp|www|filter) to negate these.

For some ideas, you can check http://sa.hege.li/badrelay.cf for entries that 
I've been collecting.
Comment 1 Matus UHLAR - fantomas 2008-04-01 07:02:22 UTC
names matching the word "static" should not match RDNS_DYNAMIC too.
some ISPs (including my employer and me as DNS admin) use generic DNS on statically allocated IP's containing the word 'static' which has to indicate that the IP's are not dynamic.
Comment 2 Michael P 2008-04-01 10:48:34 UTC
Try, although not a 'Dynamic' address in the truest sense of the word, addresses at your domain that say static, still do not conform to 'Best Practises' guidelines for email operators, where the domain should reflect the responsible party for the mail server.  If there is a mail server at that IP, or behind that IP, then the domain portion should NOT be nnn.nnn.nnn.static.upstreamprovider.com but something like gateway.operator_domain.com or mail.operator_domain.com etc.. So the check for static may still be a legitimate way to weigh the likelihood of the IP address being simple an access point, and a likely location for trojan generated email vs a properly run email server, with a responsible party to report problems to.  All Up Stream providers should provide full reverse DNS to parties wishing to run email services.  Possibly at the most, the rule should be broken up into two separate rules with different weights, but the recommendations, and the effectiveness of the rule should not be underestimated, whether the naming convention is 'static' or not, it is still an IP address under the responsibility of the upstream provider, and most likely an access point from which trojans, bots can operate.  Technically, the term 'dynamic' is incorrect, but aside from the naming of the rule, the principles are still valid. 
Comment 3 Justin Mason 2008-04-01 12:35:58 UTC
guys, the best way to illustrate these is to attach false positive samples.
Comment 4 Henrik Krohns 2008-04-01 12:38:32 UTC
Justin, I appreciate what you are saying, but this isn't really rocket science. Either a host is legimate looking or not. What do you need samples for?